CVE-2024-13207: 
WordPress vulnerability analysis and mitigation

The Widget for Social Page Feeds WordPress plugin before version 6.4.2 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered in early 2025 and assigned CVE-2024-13207. The issue affects the plugin's settings functionality, specifically impacting WordPress installations, including multisite setups (WPScan, NVD).

The vulnerability stems from improper sanitization and escaping of certain plugin settings. The issue is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). According to CISA's assessment, the vulnerability has a CVSS 3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even in environments where the unfiltered_html capability is explicitly disallowed. This is particularly concerning in multisite WordPress setups where such restrictions are commonly implemented (WPScan).

The vulnerability has been patched in version 6.4.2 of the Widget for Social Page Feeds WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).